Assigning groups to Azure AD roles is now in public preview!

Howdy folks,

Today, we’re excited to share that you can assign groups to Azure Active Directory (Azure AD) roles, now in public preview. Role delegation to groups is one of the most requested features in our feedback forum (https://feedback.azure.com/forums/169401-azure-active-directory/suggestions/12938997-azuread-role-delegation-to-groups). Currently this is available for Azure AD groups and Azure AD built-in roles, and we’ll be extending this in the future to on-premises groups as well as Azure AD custom roles.

To use this feature, you’ll need to create an Azure AD group and enable it to have roles assigned. This can be done by anyone who is either a Privileged Role Administrator or a Global Administrator.

After that, any of the Azure AD built-in roles, such as Teams Administrator or SharePoint Administrator, can have groups assigned to them.

The owner of the group can then manage group memberships and control who can get the role, allowing you to effectively delegate the administration of Azure AD roles and reduce the dependency on Privileged Role Administrator or Global Administrator.

You can also use this along with Privileged Identity Management (PIM) (https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-configure) to enable just-in-time role assignment for the group. With this integration, each member of the group activates their role separately when needed, and their access is revoked when the role assignment expires.

We’ve also added a new preview capability in PIM called Privileged Access Groups. Turning on this capability will allow you to enhance the security of group management, such as just-in-time group ownership and requiring an approval workflow for adding members to the group.

Assigning groups to Azure AD roles requires an Azure AD Premium P1 license. Privileged Identity Management requires an Azure AD Premium P2 license. To learn more about these changes, check out our documentation (https://go.microsoft.com/fwlink/?linkid=2103037) on this topic:

- Use groups to manage role assignments: https://docs.microsoft.com/en-us/azure/active-directory/users-groups-roles/roles-groups-concept
- Manage Privileged access groups: https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/groups-features

As always, we’d love to hear any feedback or suggestions you may have. Please let us know what you think in the comments below or on the Azure AD feedback forum.

Best regards,
Alex Simons (@Alex_A_Simons)
Corporate VP of Program Management
Microsoft Identity Division

Comments

---

Great, thank you!

---

Great,

Alex, when you will support on-prem AD synced groups, think about supporting nested groups.

We have a complete tree structure for our IT and we use it to provide authorisation in AD, applications, … Actually we are obliged to assign O365/Azure AD roles manually by user, but if we can use our on-prem tree structure it will be great. Our goal is to manage users within one team's groups and then all authorization within our IT systems is set up correctly without needing to add accounts somewhere else.

---

This is a great feature, but I'm slightly concerned about abuse/misuse, where a user is granted a role that allows them to edit group membership, which then allows them to add themselves or others to groups that grant access to other privileged roles.

With on-prem, we can restrict certain sensitive groups to OUs with different permissions to protect them, but I don't believe this is possible with Azure AD?

---

@Vincent VALENTIN - Yes, supporting on-prem groups is on our roadmap.

---

@Wesley-Trust - That's a great observation. That's why we have put measures in place to protect these groups so that there is no elevation of privilege. Only a Privileged Role Admin or a Global Admin can modify the membership of a role-assignable group by default.

Please take a look at this: https://docs.microsoft.com/en-us/azure/active-directory/users-groups-roles/roles-groups-concept#why-we-enforce-creation-of-a-special-group-for-assigning-it-to-a-role

---

@Abhijeet Kumar Sinha Fantastic, thanks.

---

This is still susceptible to the sync delays of the Primary Refresh Token in Windows 10 clients, right? Plus or minus 4 hours of privileged access breaks “just-in-time” for me.

---

@Abhijeet Kumar Sinha For on-prem groups, will you support nesting?

---

@Vincent VALENTIN - We are working on the design. It is difficult to commit to anything at this time. Having said that, I really appreciate you sharing the scenario with us. It was very helpful. Thanks!

---

Cannot believe we managed to survive so long without it :D Excellent addition! Keep it up please! :)

---

OMG, finally; have been waiting for this for ages.

Thought there was some sort of security issue, since this feature has been unavailable for so long.

Nice to finally see it coming to on-prem groups soon too.

---

That's very good that you have made measures against abuse, @Abhijeet Kumar Sinha. However, I did find a severe weakness now that allows for non-wanted elevation of privilege with these new role groups.

By using Azure AD Entitlement Management > Access Packages. Example:

- Group "azuread-role-intune_administrator" created and assigned to role "Intune Administrator" (created by a global admin or privileged role admin)

Now another user, "USER X" with the role "User administrator", can create an access package in Entitlement Management, and select "azuread-role-intune_administrator" as a resource role in the access package.

Now USER X can assign the access package to himself and will thus also be made a member of "azuread-role-intune_administrator", effectively giving the user access to something it should have been able to do.

This happens because the Entitlement Management engine apparently runs on very high privileges or is exempt from the security measures made for these new role groups.

I would like to see this patched, but still be able to use the functionality of access packages with this new role group functionality. Maybe an extra check in Entitlement Management where the active roles of the user creating the user assignment can be assessed before allowing/disallowing the action?

---

@omega3 - To put a role-assignable group into an access package, you must be a User Administrator and also owner of the role-assignable group.

See this: https://docs.microsoft.com/en-us/azure/active-directory/users-groups-roles/roles-groups-faq-troubleshooting

---

@Abhijeet Kumar Sinha Aha! I tested again now, and I realize I wrote the above scenario slightly wrong.

You are correct, the User Administrator user was not able to add the role-assignable group to the access package (catalog), but if there is an access package present with role-assignable groups already, the User Administrator is able to assign this access package to whoever.

I tested this again now, just to be sure.

---

Are you able to share if this functionality will work with a mail-enabled security group in the future? That would help my use case considerably. Thanks!

---

@MelissaCoates - An Azure AD security group with mail-enabled=true is supported. See this example: https://docs.microsoft.com/en-us/graph/api/group-post-groups?view=graph-rest-beta&tabs=http#example-3-create-a-group-that-can-be-assigned-to-an-azure-ad-role

However, a mail-enabled security group that is mastered in Exchange is not supported. We do not have plans to support such types of groups right now.

---

@Abhijeet Kumar Sinha Thank you very much for confirming. Yes, it's an Exchange-backed mail-enabled security group that I'm after rather than a unified (M365) group. I was able to confirm that the Graph API does not currently support creating a mail-enabled security group (even prior to dealing with IsAssignableToRole).

FYI, my use case relates to Power BI administration. I intend to align my Power BI Administrator group with the Power BI Administrator role. In the Power BI tenant settings, there is one setting which requires a mail-enabled security group, so a unified group won't work (this particular setting provides alerts if there's a service outage or incident). I can still make some headway with simplifying group/role membership maintenance & reducing overall risk with the new capabilities discussed above in this post. The trade-off is treating that alerting group as a separate thing. Still a step forward.

---

Is there a plan to allow nested groups? Like Azure roles have it today? I don't believe you should allow endless nested groups; there should be a limit, and the limit should be small, and only two layers deep.
I have a design like the following:
Company-Specific Groups (such as Developers, Dev-Ops, Infrastructure, Support, etc.)
I have Azure Role Groups (two for every role - one Active, one Eligible)
I place the users in the Company-Specific groups, place the Company-Specific groups into all the Azure Role Groups they require, and each Azure Role Group is permanently assigned to its corresponding Azure role.
For example:
XXX-Developers (contains all developers)
XXX-Active-Subsc1-Contributor (one for each Azure role), assigned permanently Active to Subscription#1's Azure Contributor role
XXX-Eligible-Subsc1-Contributor (one for each Azure role), assigned permanently Eligible to Subscription#1's Azure Contributor role

With this design, when a new Developer joins the company, or leaves:
1. I simply add/remove them from a single group to allow/revoke everything a Developer needs access to.
2. It keeps the constant in/out of PIM to a minimum.
3. It keeps cleanup easy, as there's not the leftover GUID/ObjectID stuck in the role's assignment list.

Auditing is a challenge, Access Reviews are a challenge. But I'm hoping Microsoft is accounting for simplified designs like these. Very recently, something changed with the Azure AD role-assignable groups, as I was able to assign groups to those Azure AD groups, but that has recently disappeared. Was that a bug? Something that should've never been released? It offered hope that the design was going to be like Azure role groups.

---

Maximus: You should use Access packages in Entitlement Management, not nested groups. This would fulfill your purpose in a better way.

@Abhijeet Kumar Sinha: I am still worried about the security regarding my last comment:
"You are correct, the User Administrator user was not able to add the role-assignable group to the access package (catalog), but if there is an access package present with role-assignable groups already, the User Administrator is able to assign this access package to whoever.
I tested this again now, just to be sure."

---

@omega3 thanks for your feedback. Yes, as part of this preview, in addition to documentation updates, we are also looking at updates to the use of existing and new directory roles, across entitlement management and other Azure AD features, so that customers can use the entitlement management and role-assignable groups features together, and have finer-grained control on what catalogs and access packages are available for existing administrators to manage.

---

@Alex Simons (AZURE), any ETA on when the below two known issues (https://docs.microsoft.com/en-us/azure/active-directory/users-groups-roles/roles-groups-concept#known-issues) will be resolved?

- Azure AD P2 licensed customers only: Don't assign a group as Active to a role through both Azure AD and Privileged Identity Management (PIM). Specifically, don't assign a role to a role-assignable group when it's being created and assign a role to the group using PIM later. This will lead to issues where users can’t see their active role assignments in PIM as well as the inability to remove that PIM assignment. Eligible assignments are not
20affected%20in%20this%20scenario.%20If%20you%20do%20attempt%20to%20make%20this%20assignment%2C%20you%20might%20see%20unexpected%20behavior%20such%20as%3A%3CUL%3E%3CLI%3EEnd%20time%20for%20the%20role%20assignment%20might%20display%20incorrectly.%3C%2FLI%3E%3CLI%3EIn%20the%20PIM%20portal%2C%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3CSTRONG%3EMy%20Roles%3C%2FSTRONG%3E%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3Ecan%20show%20only%20one%20role%20assignment%20regardless%20of%20how%20many%20methods%20by%20which%20the%20assignment%20is%20granted%20(through%20one%20or%20more%20groups%20and%20directly).%3C%2FLI%3E%3C%2FUL%3E%3C%2FLI%3E%3CLI%3E%3CEM%3EAzure%20AD%20P2%20licensed%20customers%20only%3C%2FEM%3E%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3EEven%20after%20deleting%20the%20group%2C%20it%20is%20still%20shown%20an%20eligible%20member%20of%20the%20role%20in%20PIM%20UI.%20Functionally%20there's%20no%20problem%3B%20it's%20just%20a%20cache%20issue%20in%20the%20Azure%20portal.%3C%2FLI%3E%3C%2FUL%3E%3CP%3E%26nbsp%3BThanks!%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1785155%22%20slang%3D%22en-US%22%3ERe%3A%20Assigning%20groups%20to%20Azure%20AD%20roles%20is%20now%20in%20public%20preview!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1785155%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F833767%22%20target%3D%22_blank%22%3E%40TechUser152%3C%2FA%3E%26nbsp%3B-%20We%20are%20working%20actively%20on%20it.%20The%20fix%20is%20a%20bit%20involved%2C%20so%20sharing%20the%20exact%20ETA%20is%20not%20possible.%26nbsp%3B%3CBR%20%2F%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F207649%22%20target%3D%22_blank%22%3E%40Shaun%20Liu%3C%2FA%3E%26nbsp%3B%20-%20FYI.%3C%2FP%3E%3C%2FLINGO-BODY%3E

Howdy folks,

Today, we’re excited to share that you can assign groups to Azure Active Directory (Azure AD) roles, now in public preview. Role delegation to groups is one of the most requested features in our feedback forum. Currently this is available for Azure AD groups and Azure AD built-in roles, and we’ll be extending this in the future to on-premises groups as well as Azure AD custom roles.

To use this feature, you’ll need to create an Azure AD group and enable it to have roles assigned. This can be done by anyone who is either a Privileged Role Administrator or a Global Administrator.

Group roles 1.png

After that, any of the Azure AD built-in roles, such as Teams Administrator or SharePoint Administrator, can have groups assigned to them.

group roles 2.png

The owner of the group can then manage group memberships and control who can get the role, allowing you to effectively delegate the administration of Azure AD roles and reduce the dependency on Privileged Role Administrator or Global Administrator. 
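As an added example (not Microsoft's code and not part of this post), the check below audits role-assignable groups from exports shaped like Microsoft Graph responses: which directory roles each group carries, which of its owners are not themselves Global or Privileged Role Administrators (the delegated path into the role that an access review should confirm is deliberate), and which groups are enabled for roles but carry none. It assumes the Graph field names for group, roleAssignment, roleDefinition and owner objects; the sample records are constructed and their ids are placeholders.

```python
from collections import defaultdict

# Roles whose holders may edit a role-assignable group's membership by default.
PRIVILEGED_ROLE_NAMES = {"Global Administrator", "Privileged Role Administrator"}

def audit_role_assignable_groups(groups, role_assignments, role_definitions, owners_by_group):
    """Report every role-assignable group, the directory roles it carries, and
    which of its owners are not themselves Global/Privileged Role Administrators.

    Owners can add members and so effectively grant the role: that is the
    delegation the feature intends, and exactly what an access review should
    confirm is deliberate. A role-assignable group with no roles at all is
    flagged as unused so it can be cleaned up before someone repurposes it.
    """
    role_name = {d["id"]: d["displayName"] for d in role_definitions}
    roles_of = defaultdict(set)  # principal id -> role display names held directly
    for ra in role_assignments:
        roles_of[ra["principalId"]].add(role_name.get(ra["roleDefinitionId"], ra["roleDefinitionId"]))
    findings = []
    for g in groups:
        if not g.get("isAssignableToRole"):
            continue  # ordinary groups cannot carry directory roles
        owners = owners_by_group.get(g["id"], [])
        findings.append({
            "group": g["displayName"],
            "roles": sorted(roles_of[g["id"]]),
            "owners": [o["displayName"] for o in owners],
            # owners whose own role set contains no PRA/GA role: delegated admins to review
            "delegated_owners": [o["displayName"] for o in owners
                                 if not roles_of[o["id"]] & PRIVILEGED_ROLE_NAMES],
            "unused": not roles_of[g["id"]],
        })
    return findings

# Constructed sample data shaped like Graph responses; ids are placeholders, not real GUIDs.
ROLE_DEFINITIONS = [
    {"id": "rd-ga", "displayName": "Global Administrator"},
    {"id": "rd-teams", "displayName": "Teams Administrator"},
]
GROUPS = [
    {"id": "g-teams", "displayName": "Teams-Admins", "isAssignableToRole": True},
    {"id": "g-spare", "displayName": "Spare-Role-Group", "isAssignableToRole": True},
    {"id": "g-sales", "displayName": "Sales", "isAssignableToRole": False},
]
ROLE_ASSIGNMENTS = [
    {"principalId": "g-teams", "roleDefinitionId": "rd-teams", "directoryScopeId": "/"},
    {"principalId": "u-alice", "roleDefinitionId": "rd-ga", "directoryScopeId": "/"},
]
OWNERS_BY_GROUP = {
    "g-teams": [{"id": "u-alice", "displayName": "Alice"}, {"id": "u-bob", "displayName": "Bob"}],
}

if __name__ == "__main__":
    for f in audit_role_assignable_groups(GROUPS, ROLE_ASSIGNMENTS, ROLE_DEFINITIONS, OWNERS_BY_GROUP):
        print(f)
```

Pointed at real exports (GET /groups, /roleManagement/directory/roleAssignments, /roleManagement/directory/roleDefinitions and /groups/{id}/owners), the same function gives the list of delegated owners to include in a periodic access review.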

You can also use this along with Privileged Identity Management (PIM) to enable just-in-time role assignment for the group. With this integration, each member of the group activates their role separately when needed and their access is revoked when the role assignment expires. 

We’ve also added a new preview capability in PIM called Privileged Access Groups. Turning on this capability will allow you to enhance the security of group management, such as just-in-time group ownership and requiring an approval workflow for adding members to the group.

group roles 3.png

Assigning groups to Azure AD roles requires an Azure AD Premium P1 license. Privileged Identity Management requires an Azure AD Premium P2 license. To learn more about these changes, check out our documentation on this topic:

As always, we’d love to hear any feedback or suggestions you may have. Please let us know what you think in the comments below or on the Azure AD feedback forum.

Best regards,

Alex Simons (@Alex_A_Simons)

Corporate VP of Program Management

Microsoft Identity Division

22 Comments
Senior Member

Great thank you!

Contributor

Great,

Alex, when you support on-prem AD synced groups, think about supporting nested groups.

We have a complete tree structure for our IT and we use it to provide authorisation in AD, applications, … Actually we are obliged to assign O365/AzureAD roles manually per user, but if we can use our on-prem tree structure it will be great. Our goal is to manage users within one team group and then have all authorization within our IT systems set up correctly without needing to add accounts somewhere else.

Senior Member

This is a great feature, but I'm slightly concerned about abuse/misuse, where a user is granted a role that allows them to edit group membership, which then allows them to add themselves or others to groups that grant access to other privileged roles.

With on-prem, we can restrict certain sensitive groups to OUs with different permissions to protect them, but I don't believe this is possible with Azure AD?

@Vincent VALENTIN - Yes, supporting on-prem groups is on our roadmap.

@Wesley-Trust - That's a great observation. That's why we have put measures in place to protect these groups so that there is no elevation of privilege. Only a Privileged Role Admin or a Global Admin can modify the membership of a role-assignable group by default.

Please take a look at this - https://docs.microsoft.com/en-us/azure/active-directory/users-groups-roles/roles-groups-concept#why-...

Senior Member

@Abhijeet Kumar Sinha Fantastic, thanks.

Occasional Visitor

This is still susceptible to the sync delays of the Primary Refresh Token in Windows 10 clients, right? Plus or minus 4 hours of privileged access breaks “just-in-time” for me. 

Contributor

@Abhijeet Kumar Sinha For on-prem groups, will you support nesting?

@Vincent VALENTIN - We are working on the design. It is difficult to commit to anything at this time. Having said that, I really appreciate you sharing the scenario with us. It was very helpful. Thanks!

Senior Member

Cannot believe we managed to survive so long without it :D Excellent addition! Keep it up please! :)

New Contributor

OMG finally, have been waiting for this for ages.

Thought there was some sort of security issue since this feature has been unavailable for so long.

Nice to finally see it coming to on-prem groups soon too.

Senior Member

That's very good that you have made measures against abuse, @Abhijeet Kumar Sinha. However, I did find a severe weakness now that allows for unwanted elevation of privilege with these new role groups.

By using Azure AD Entitlement Management > Access Packages. Example:

- Group "azuread-role-intune_administrator" created and assigned to role "Intune Administrator" (created by global admin or privileged role admin)

Now another user, "USER X" with the role "User administrator", can create an access package in Entitlement Management, and select "azuread-role-intune_administrator" as a resource role in the access package.

Now USER X can assign the access package to himself and will thus also be made a member of "azuread-role-intune_administrator", effectively giving the user access to something it should not have been able to do.

This happens because the Entitlement Management engine apparently runs with very high privileges or is exempt from the security measures made for these new role groups.

I would like to see this patched, but still be able to use the functionality of access packages with this new role group functionality. Maybe an extra check in Entitlement Management where the active roles of the user creating the user assignment can be assessed before allowing/disallowing the action?

@omega3 - To put a role-assignable group into an access package, you must be a User Administrator and also owner of the role-assignable group. 

See this - https://docs.microsoft.com/en-us/azure/active-directory/users-groups-roles/roles-groups-faq-troubles....

Senior Member

@Abhijeet Kumar Sinha Aha! I tested again now, and I realize I wrote the above scenario slightly wrong.

You are correct, the User Administrator user was not able to add the role-assignable group to the access package (catalog), but if there is an access package present with role-assignable groups already, the User Administrator is able to assign this access package to whoever.

I tested this again now, just to be sure.

Regular Visitor

Are you able to share if this functionality will work with a mail-enabled security group in the future? That would help my use case considerably. Thanks!

@MelissaCoates - An Azure AD security group with mail-enabled=true is supported. See this example - https://docs.microsoft.com/en-us/graph/api/group-post-groups?view=graph-rest-beta&tabs=http#example-...

However, a mail-enabled security group that is mastered in Exchange is not supported. We do not have plans to support such types of groups right now.

Regular Visitor

@Abhijeet Kumar Sinha Thank you very much for confirming. Yes, it's an Exchange-backed mail-enabled security group that I'm after rather than a unified (M365) group. I was able to confirm that the Graph API does not currently support creating a mail-enabled security group (even prior to dealing with IsAssignableToRole).

FYI, my use case relates to Power BI administration. I intend to align my Power BI Administrator group with the Power BI Administrator role. In the Power BI tenant settings, there is one setting which requires a mail-enabled security group so a unified group won't work (this particular setting provides alerts if there's a service outage or incident). I can still make some headway with simplifying group/role membership maintenance & reducing overall risk with the new capabilities discussed above in this post. The trade-off is treating that alerting group as a separate thing. Still a step forward.

Occasional Visitor

Is there a plan to allow nested groups? Like Azure roles have it today? I don't believe you should allow endless nested groups; there should be a limit, and the limit should be small, only two layers deep.
I have a design like the following:
Company-Specific-Groups (such as Developers, Dev-Ops, Infrastructure, Support, etc.)
I have Azure Role Groups (two for every role - one Active, one Eligible)
I place the users in the Company-Specific groups, place the Company-Specific groups into all the Azure Role Groups they require, and each Azure Role Group is permanently assigned to its corresponding Azure role.
For example:
XXX-Developers (Contains all developers)
XXX-Active-Subsc1-Contributor (One for each Azure role), assigned permanently Active to Subscription#1's Azure Contributor role
XXX-Eligible-Subsc1-Contributor (One for each Azure role), assigned permanently Eligible to Subscription#1's Azure Contributor role

With this design, when a new Developer joins the company, or leaves:
1. I simply add/remove them from a single group to allow/revoke everything a Developer needs access to.
2. It keeps the constant in/out of PIM to a minimum
3. It keeps cleanup easy as there isn't a leftover GUID/ObjectID stuck in the role's assignment list.

Auditing is a challenge, Access Reviews are a challenge. But I'm hoping Microsoft is accounting for simplified designs like these. Very recently, something changed with the AzureAD role-assignable groups, as I was able to assign groups to those AzureAD groups, but that has recently disappeared. Was that a bug? Something that should've never been released? It offered hope that the design was going to be like Azure role groups.

Senior Member

Maximus: You should use Access Packages in Entitlement Management, not nested groups. This would fulfill your purpose in a better way.

@Abhijeet Kumar Sinha: I am still worried about the security regarding my last comment:
"You are correct, the User Administrator user was not able to add the role-assignable group to the access package (catalog), but if there is an access package present with role-assignable groups already, the User Administrator is able to assign this access package to whoever.

I tested this again now, just to be sure."

Microsoft

@omega3 thanks for your feedback. Yes, as part of this preview, in addition to documentation updates, we are also looking at updates to the use of existing and new directory roles, across entitlement management and other Azure AD features, so that customers can use the entitlement management and role-assignable groups features together, and have finer-grained control on what catalogs and access packages are available for existing administrators to manage.

Occasional Visitor

@Alex Simons (AZURE), any ETA on when the two known issues below ( https://docs.microsoft.com/en-us/azure/active-directory/users-groups-roles/roles-groups-concept#know... ) will be resolved?

  • Azure AD P2 licensed customers only: Don't assign a group as Active to a role through both Azure AD and Privileged Identity Management (PIM). Specifically, don't assign a role to a role-assignable group when it's being created and assign a role to the group using PIM later. This will lead to issues where users can’t see their active role assignments in PIM as well as the inability to remove that PIM assignment. Eligible assignments are not affected in this scenario. If you do attempt to make this assignment, you might see unexpected behavior such as:
    • End time for the role assignment might display incorrectly.
    • In the PIM portal, My Roles can show only one role assignment regardless of how many methods by which the assignment is granted (through one or more groups and directly).
  • Azure AD P2 licensed customers only: Even after deleting the group, it is still shown as an eligible member of the role in the PIM UI. Functionally there's no problem; it's just a cache issue in the Azure portal.

Thanks!

@TechUser152 - We are working actively on it. The fix is a bit involved, so sharing the exact ETA is not possible.
@Shaun Liu - FYI.